VMware Cloud Community
Steve_Peck
Contributor

vCenter security: isolation by subnet

We are in the planning stages of upgrading to vSphere 4. We're going to build a new vCenter Server and we're discussing security as it relates to isolating vCenter by subnet. I did some searching for best practices but haven't found any info so far.

Should the vCenter Server be in a different subnet than the ESXi 4.0 Hosts it manages? If so, or not, can anyone point me to documentation about this subject?

Thanks much in advance,

Steve Peck

Portland, OR

3 Replies
msemon1
Expert

The ESX hosts do not have to be in a separate subnet from VC. For added security you can use firewalls, VLANs or iptables.

Mike

danm66
Expert

If anything, I would put VC on same subnet as the hosts. If they have to go through a firewall to talk, then you have a new dose of ports to manage and the question of firewall rules any time something doesn't work.

If you have multiple NICs/IPs on the VC, make sure that the hosts resolve the "inside" or "mgmt" IP address of the VC, so they don't try to connect to it through extra hops.

I don't know of any docs for that info, but there is a hardening guide. IIRC, it's at vmware.com/security .
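
A quick way to verify the point above about name resolution, as an added example that is not from the original thread or from VMware: run this from (or on behalf of) each ESXi host to confirm that the vCenter name resolves only to addresses inside the management network, so the host never tries to reach VC via a second NIC and an extra hop or firewall. The hostname, the management prefix and the sample addresses below are assumptions for illustration.

```python
"""Check that a vCenter name resolves, from a managed host's point of view,
to its management-network address and not to a second NIC's address.
Added example; not code from the thread or from VMware."""
import ipaddress
import socket
import sys
from typing import Dict, Iterable, List


def resolve_all(hostname: str) -> List[str]:
    """Return every address the local resolver returns for hostname.
    Uses the host's own resolver, so run it where the ESXi hosts resolve from."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_mgmt_resolution(addresses: Iterable[str], mgmt_net: str) -> Dict[str, object]:
    """Classify resolved addresses as inside or outside the management prefix.

    ok is True only when at least one address resolved and all of them are
    inside mgmt_net: a VC that publishes its 'outside' NIC address in DNS
    as well can make hosts pick the wrong path nondeterministically."""
    net = ipaddress.ip_network(mgmt_net, strict=False)
    inside: List[str] = []
    outside: List[str] = []
    for addr in addresses:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            outside.append(addr)  # unparseable answers are never acceptable
            continue
        (inside if ip in net else outside).append(addr)
    return {"ok": bool(inside) and not outside, "inside": inside, "outside": outside}


def main(argv: List[str]) -> int:
    # Assumed defaults: a hypothetical vCenter name and management prefix.
    hostname = argv[1] if len(argv) > 1 else "vcenter.example.internal"
    mgmt_net = argv[2] if len(argv) > 2 else "192.0.2.0/24"
    result = check_mgmt_resolution(resolve_all(hostname), mgmt_net)
    print(f"{hostname}: inside={result['inside']} outside={result['outside']}")
    if not result["ok"]:
        print("FAIL: fix DNS/hosts so only the management address is returned")
        return 1
    print("OK: hosts will connect to VC on the management network")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 check_vc_dns.py vcenter.example.internal 192.0.2.0/24` (names and prefix are placeholders); a non-zero exit means a host could be steered to the wrong VC address.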

Steve_Peck
Contributor

Thanks msemon1 and danm66 for your responses. Due to some regulatory, compliance, and political concerns we're going to isolate the vCenter Server behind a firewall and task the Network team to create the ACLs which allow it to connect to the Hosts, etc.

Sometimes 'easier' just doesn't cut it. :)

Steve
